[ic] {OT} hardening SSL without rejecting users

Jon Jensen jon at endpoint.com
Tue Apr 27 14:54:07 UTC 2010


On Mon, 26 Apr 2010, Grant wrote:

> I've been advised to harden my SSL in the following ways:
>
> 1. disable SSL 2.0
> 2. disable use of SSL ciphers which offer either weak or no encryption
> 3. disable anonymous SSL ciphers
>
> Will some website users not be able to use https if I do this?

Should be fine. That's all been good practice for years now.

A good Apache mod_ssl configuration to achieve that is:

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Jon

-- 
Jon Jensen
End Point Corporation
http://www.endpoint.com/



More information about the interchange-users mailing list